Problem/Motivation

Xss::filter() damages attribute names with chars other than alphanumeric or dash.

E.g. <div data-x_y="hello"></div> becomes <div y="hello"></div>

I already reported this in a comment in #2544110-165: XSS attribute filtering is inconsistent and strips valid attributes, but I think it is useful to have a dedicated issue for reference.
This is also a place to have a patch that people can use to fix this issue specifically, without a full buy-in to the work from #2544110: XSS attribute filtering is inconsistent and strips valid attributes.

In the end, fixes for both issues will likely conflict.

See https://stackoverflow.com/a/53563849/246724 where allowed chars in attribute names are discussed.

Steps to reproduce

Call Xss::filter('<div data-x_y="hello"></div>').

Expected: One of:

  • <div data-x_y="hello"></div>, if we want to keep the attribute.
  • <div></div>, if we want to remove the attribute.

Actual: <div y="hello"></div>

Proposed resolution

Always parse the complete attribute name. Then decide whether to keep the attribute or not.
(I think in general we just keep it)

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Issue fork drupal-3372586

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

donquixote created an issue. See original summary.

donquixote’s picture

The merge requests only adds underscore support and nothing else.
And only if the underscore is not the first character in the attribute name.
Please do _not_ merge it as-is.

donquixote’s picture

Issue summary: View changes
donquixote’s picture

Issue summary: View changes
donquixote’s picture

Issue summary: View changes

prudloff made their first commit to this issue’s fork.

prudloff’s picture

Status: Active » Needs review

I can confirm this is still a problem.

I rebased the MR and tests are passing so I think this is ready for review.

Please do _not_ merge it as-is.

I am not sure I understand why this should not be merged.
If it is because #2544110: XSS attribute filtering is inconsistent and strips valid attributes is working on a larger solution, I still think it is useful to have this small fix in the meantime.

smustgrave’s picture

Status: Needs review » Needs work

Can proposed solution be updated with what was decided, seems like open question.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.